Merge pull request #46 from chronon/f/token-auth-only

chronon · web-flow · commit 7597a1070775 · 2025-10-20T15:56:49.000-04:00
f/token auth only
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -224,22 +224,22 @@ Authenticated endpoints for managing photos. All admin endpoints use shared util
   - Pattern: All admin endpoints use discriminated unions for validation results
 
 - **Upload** (`POST /admin/api/images`):
-  - Validates via Cloudflare Access (service tokens or IdP users)
+  - Validates via Cloudflare Access (service tokens)
   - Authorizes client ID against user's `authorized_client_ids` in KV
   - Uploads photo to Cloudflare Images
   - Inserts metadata to D1
   - Returns `{ success: true, id: string, filename: string, uploaded: string }`
 
 - **Lookup** (`GET /admin/api/images/by-name/[photoName]`):
-  - Validates via Cloudflare Access (service tokens or IdP users)
+  - Validates via Cloudflare Access (service tokens)
   - Authorizes client ID against user's `authorized_client_ids` in KV
   - Searches for photo by name (case-insensitive)
   - Returns most recent photo if multiple matches exist
   - Returns `{ success: true, id: string, name: string, captured: string, uploaded: string }`
   - Use case: Enables automation tools (like Apple Shortcuts) to find image ID by photo name
 
 - **Delete** (`DELETE /admin/api/images/[imageId]`):
-  - Validates via Cloudflare Access (service tokens or IdP users)
+  - Validates via Cloudflare Access (service tokens)
   - Authorizes client ID against user's `authorized_client_ids` in KV
   - Verifies ownership (prevents cross-user deletion)
   - Deletes metadata from D1
@@ -277,7 +277,7 @@ All `/admin/*` routes use centralized authentication via SvelteKit hooks:
 7. Sets `event.locals.adminAuth` with authenticated context
 8. Request proceeds to handler with authenticated user info
 
-### Supported Authentication Types
+### Supported Authentication Type
 
 **Service Tokens** (Machine-to-machine):
 
@@ -290,17 +290,6 @@ Headers:
 - Used for automated uploads from scripts/applications
 - Client ID validated against `authorized_client_ids` in KV
 
-**IdP Users** (Browser-based):
-
-```
-Headers:
-  CF-Access-Jwt-Assertion: eyJhbGc...
-```
-
-- Authenticated via identity providers (Google, GitHub, etc.)
-- Email address extracted from JWT
-- Email can be added to `authorized_client_ids` for authorization
-
 ### Local Development Bypass
 
 Development uses authentication bypass that **only** activates when `CF_ACCESS_TEAM_DOMAIN=dev`:
@@ -339,9 +328,8 @@ export const POST: RequestHandler = async ({ locals }) => {
   }
 
   const { username, identity } = locals.adminAuth;
-  // identity.type: 'service_token' | 'idp_user'
+  // identity.type: 'service_token'
   // identity.clientId: string
-  // identity.email?: string (for IdP users)
 
   // Your handler logic here...
 };
@@ -376,7 +364,6 @@ const event = {
 3. **Test with real service tokens** - Use `pnpm preview` for realistic testing
 4. **Never commit secrets** - Keep `.dev.vars` gitignored
 5. **Update authorized_client_ids** - Add client IDs to KV config for authorization
-6. **Use appropriate auth type** - Service tokens for automation, IdP for browsers
 
 ### Domain-Based Routing
 
diff --git a/.gitignore b/.gitignore
@@ -30,5 +30,6 @@ vite.config.ts.timestamp-*
 /.claude
 
 # config
-config/
+config/app.jsonc
+config/app.kv.json
 .wrangler
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -100,10 +100,9 @@ The app uses a centralized authentication system for all `/admin/*` routes:
 5. Checks client ID against user's `authorized_client_ids` in KV
 6. Sets authenticated context in `event.locals.adminAuth` for downstream handlers
 
-**Supported Authentication Types:**
+**Supported Authentication Type:**
 
 - **Service Tokens** - For automated clients (client ID from `common_name` JWT claim or header)
-- **IdP Users** - For browser-based access (client ID from `email` JWT claim)
 
 **Local Development:**
 
diff --git a/README.md b/README.md
@@ -270,7 +270,7 @@ All `/admin/*` routes are protected by a centralized authentication system that
 **Flow:**
 
 1. Request hits `/admin/*` route
-2. Cloudflare Access validates credentials at edge (service token or IdP authentication)
+2. Cloudflare Access validates credentials at edge (service token authentication)
 3. `handleAdminAuth` hook intercepts request
 4. Extracts identity from Cloudflare Access headers
 5. Validates JWT claims (expiration, issuer)
@@ -327,20 +327,14 @@ Add the Client ID to user's authorized list in `config/app.jsonc`:
 pnpm deploy
 ```
 
-### Supported Authentication Types
+### Supported Authentication Type
 
 **Service Tokens** (Machine-to-machine):
 
 - Used for automated uploads from scripts/applications
 - Client ID and secret passed via headers
 - Validated against `authorized_client_ids` in KV
 
-**IdP Users** (Browser-based):
-
-- Users authenticated via identity providers (Google, GitHub, etc.)
-- Email address extracted from JWT
-- Can be added to `authorized_client_ids` for authorization
-
 ### Local Development
 
 Local development uses an authentication bypass that only activates when `CF_ACCESS_TEAM_DOMAIN=dev`:
@@ -503,7 +497,7 @@ The application deploys as a single Cloudflare Worker with:
 - **Cloudflare KV**: Stores all configuration (global, user, authorized client IDs)
 - **Cloudflare D1**: Stores image metadata with indexed queries
 - **Cloudflare Images**: Stores and delivers photo files
-- **Cloudflare Access**: Authenticates all `/admin/*` requests with service tokens or IdP users
+- **Cloudflare Access**: Authenticates all `/admin/*` requests with service tokens
 - **Environment variables**: `CF_ACCESS_TEAM_DOMAIN`, `CF_IMAGES_TOKEN` (via wrangler vars)
 - **Development secrets**: `DEV_USER`, `DEV_CLIENT_ID` (via .dev.vars, not deployed)
 - **Auto-generated routes**: Based on `config/app.jsonc`, one route per user domain
diff --git a/config/app-example.jsonc b/config/app-example.jsonc
@@ -0,0 +1,66 @@
+{
+  "global": {
+    // Cloudflare Images delivery URL (find in Images dashboard)
+    "imageBase": "https://imagedelivery.net/YOUR-ACCOUNT-HASH",
+    // Default variant for image delivery
+    "imageVariant": "default",
+    // Username to use for localhost development
+    "devUser": "yourname"
+  },
+  "wrangler": {
+    // Cloudflare Worker name
+    "name": "photochron",
+    // Workers compatibility date
+    "compatibility_date": "2024-10-04",
+    "vars": {
+      // Cloudflare account ID (find in dashboard URL or Overview page)
+      "CF_ACCOUNT_ID": "your-cloudflare-account-id",
+      // Cloudflare Access team domain (e.g., https://yourteam.cloudflareaccess.com)
+      "CF_ACCESS_TEAM_DOMAIN": "https://yourteam.cloudflareaccess.com"
+    },
+    "kv_namespaces": [
+      {
+        "binding": "PCHRON_KV",
+        // Create with: wrangler kv namespace create PCHRON_KV
+        "id": "your-kv-namespace-id"
+      }
+    ],
+    "d1_databases": [
+      {
+        "binding": "PCHRON_DB",
+        "database_name": "photochron",
+        // Create with: wrangler d1 create photochron
+        "database_id": "your-d1-database-id"
+      }
+    ]
+  },
+  "users": {
+    // Username (used in URL path extraction)
+    "alice": {
+      // Domain for this user's gallery
+      "domain": "alice.example.com",
+      "profile": {
+        // Display name
+        "name": "alice"
+      },
+      "avatar": {
+        // Cloudflare Images ID for user avatar
+        "id": "00000000-0000-0000-0000-000000000000",
+        "variant": "default"
+      },
+      // Service token client IDs allowed to upload/delete for this user
+      "authorized_client_ids": ["your-service-token-client-id.access"]
+    },
+    "bob": {
+      "domain": "bob.example.com",
+      "profile": {
+        "name": "bob"
+      },
+      "avatar": {
+        "id": "11111111-1111-1111-1111-111111111111",
+        "variant": "default"
+      },
+      "authorized_client_ids": ["another-service-token-client-id.access"]
+    }
+  }
+}
diff --git a/package.json b/package.json
@@ -27,22 +27,22 @@
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20251011.0",
     "@eslint/compat": "^1.2.5",
-    "@eslint/js": "^9.37.0",
+    "@eslint/js": "^9.38.0",
     "@sveltejs/adapter-cloudflare": "^7.2.4",
-    "@sveltejs/kit": "^2.47.0",
+    "@sveltejs/kit": "^2.47.1",
     "@sveltejs/vite-plugin-svelte": "^6.2.1",
     "@tailwindcss/vite": "^4.1.14",
-    "@types/node": "^24.8.0",
+    "@types/node": "^24.8.1",
     "@vitest/browser": "^3.2.3",
-    "eslint": "^9.37.0",
+    "eslint": "^9.38.0",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-svelte": "^3.12.4",
+    "eslint-plugin-svelte": "^3.12.5",
     "globals": "^16.4.0",
     "jsonc-parser": "^3.3.1",
     "prettier": "^3.6.2",
     "prettier-plugin-svelte": "^3.4.0",
-    "prettier-plugin-tailwindcss": "^0.7.0",
-    "svelte": "^5.40.1",
+    "prettier-plugin-tailwindcss": "^0.7.1",
+    "svelte": "^5.41.0",
     "svelte-check": "^4.3.3",
     "tailwindcss": "^4.1.14",
     "tsx": "^4.20.6",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/lib/auth.test.ts b/src/lib/auth.test.ts
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
